Insights from industry experts

6 Sony Breach Lessons We Must Learn

After the complete collapse of network security at
Sony Pictures Entertainment - in the wake of its data breach - the organization's fundamental mistakes deserve to be highlighted; there are lessons to be learned for all. Here's my macro view of the information security lessons every organization should take away:

1. Watch Your Risk Tolerance. First, Sony Pictures appears to have chosen a relatively high level of risk regarding its information security posture. This conclusion is supported both by comments made by its chief information security officer and by e-mails leaked by the attackers. In choosing that posture, it is highly unlikely that Sony's executives anticipated the consequences that would ultimately befall either their enterprise or the nation. Perhaps many enterprises need to rethink the duty they owe to their neighbors.

I have always argued that outsiders damage the brand, but insiders bring down the business. Sony may break that rule.

Sony Pictures is a publishing company. Its "crown jewels" are information assets. Unreleased movies, scripts, agreements with talent, and even technology are Sony's "stock in trade." The compromise of one, or even a few systems on its network should not result in the loss of strategic assets, much less absolutely everything on the network.

2. This is Vandalism, Not War. North Korea was a huge beneficiary of the Sony breach, while the "world's remaining superpower" and another prime adversary - Japan - were both humiliated in name, if not at their instigation. That said, the Sony breach was vandalism, not an act of war. It may even have been purely opportunistic, with a patina of justification added after the fact.

3. Data Exfiltration Must be Caught. The attack used widely available tools against people and weak system and network configurations, rather than exploiting glaring software vulnerabilities. Most significantly, the attack required days to weeks to unfold, and involved all kinds of related, malicious activity, including the exfiltration of hundreds of gigabytes of data - if not more - that should not have gone unrecognized.

4. We're All Vulnerable. We're all at risk from the type of attack that successfully breached Sony. That vulnerability is rooted partly in our culture of freedom, which is valued, but too easily eroded in the face of fear. It is also rooted in our technology infrastructure, which we use widely and depend on heavily, and from which we derive both productivity and comfort. The success of the Sony attack, however, has raised fears - which may or may not be true - that our entire infrastructure is vulnerable to attack, and that as a society we could be not just beneficiaries of the Internet, but also victimized by it.

5. Beware the Business Impact. I have always argued that outsiders damage the brand, but insiders bring down the business. Sony may break that rule. By the time the final cost of this breach is tallied, we will probably have lost interest, but it may be the most damaging attack against a single enterprise that wasn't launched by an insider. I expect that Sony Pictures will survive as a business unit within Sony. Whether it could survive as a stand-alone business is far less certain.

6. These Incidents Make Us All Look Bad. The changing rhetoric from Sony has been less than satisfying. The response of the exhibitors can best be described as craven. The coverage of the media has been gleeful. So far the government has been reduced to the wringing of hands. None of us looks very good. One would like to hope that we take all these lessons to heart, but I fear that in the face of the exponential growth of our information infrastructure, things are likely to get worse before they get better.

The Way Forward

Breaches, of course, are inevitable. But they should not compromise the crown jewels - that intellectual property that is crucial to the business strategy. They should not bring down the business, must not compromise the integrity of the infrastructure, or threaten our freedoms. Some have suggested that the President of the United States should have a "kill switch" that he could use to shut down the Internet so that it cannot be used to attack the power grid or the financial infrastructure. However, since both of these depend on the Internet, this is a solution worse than the problem it sets out to solve.

The solution is this: We must get the fundamentals right. We must use strong authentication and true-end-to-true-end encryption, everywhere. This will increase the time required to successfully execute an attack, make the attack more obvious, and raise the total cost. No less fundamental is the need to improve how we monitor and react. And we can put these fundamentals in place - even if it takes months or years to fully implement - using our available knowledge and tools.

While the Internet is resilient by design, that is a double-edged sword: it ensures availability, but makes it more difficult to address denial of service. Better resisting denial-of-service attacks will require further research, intelligence, new controls, new agreements, and perhaps legislation and treaties. This will take a little longer, but is no less important for making us all more secure.

William Hugh Murray is a management consultant and trainer in information assurance specializing in policy, governance and applications. He is a Certified Information Security Professional and chairman of the governance and professional practices committees of (ISC)Â², the certifying body. He has more than 50 years experience in information technology and more than 40 years in security.

About the Author

Murray is a management consultant and trainer in information assurance, specializing in policy, governance and applications. He is a Certified Information Security Professional (CISSP) and chairman of the Governance and Professional Practices committees of (ISC)², the certifying body. He has more than 50 years of experience in information technology and more than 40 years in security. During more than 25 years with IBM, his management responsibilities included development of access control programs, advising IBM customers on security and the articulation of the IBM security product plan. He is the author of the IBM publication "Information System Security Controls and Procedures." He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. In 1999, he was elected a Distinguished Fellow of the Information System Security Association. In 2007, he received the Harold F. Tipton Award in recognition of his lifetime achievement and contribution.